(54) DIGITAL SIGNATURE SYSTEM

(57) Abstract:

PROBLEM TO BE SOLVED: To eliminate authenticator 
specification and to evade abuse of a signature by 
separating message signature information and 
authenticating right information obtained from a message 
and authenticating the message on the basis of the 
message signature information and authenticating right 
information. 

SOLUTION: A digital signature of the message consists
of message signature information V14 and authenticating
right information T15. Then a signature information
generating means 1 generates the signature, which is
authenticated by using an authenticating means 2.
Namely, an individual identifier IDA11, message signature
information V14 obtained from an open message M13,
the identifier IDB12 of an opposite person which is made
open, and authenticating information T obtained from the
open message M13 are generated and outputted in a
separated state. An authenticator B certifies whether or
not the message has been sent from a legal body by
using the obtained open message M13, message signature
information V14, authenticating right information T, and
opposite-person open identifier IDA11.
[0006]

[Embodiments] According to the present invention, one's own identifier,
message signature information obtained from a public message, a
public identifier of the other party, and the authentication right
information obtained from the public message are generated and output
separately. An authenticating person proves whether the message
is delivered from a legitimate person by the obtained public message,
the message signature information, the authentication right
information, and the other party's public identifier. Fig. 1
depicts a specific example of the present invention.

On the side of a signer, message signature information for 
authentication and authentication right information is generated 
by information concerning a key shared with the other party and 
message information. Namely, on the side of the signer, 

• A public message that is a plaintext is converted into key data
that can be used as an encryption key. The converting unit is not
particularly limited as long as it yields data suited to the
encryption algorithm to which the key is input, but a one-way function
is preferable because it makes correspondences between inputs and
outputs complicated.

• The key information is encrypted based on information shared with
the sending end, namely, a shared key, preferably a shared key that
is generated corresponding only to the other party's public
identifier data. The resultant encrypted information is delivered
or transmitted and output, as authentication right information.
In addition to being output through an ordinary analog or digital
communication medium, the information can be recorded on a recording
medium such as FDs (floppy disks), MO disks, CDs, and magnetic
tapes and then transmitted.

• Furthermore, public identifier data and data obtained by converting
the message in a one-way manner are encrypted by using the key
information as a key. The resultant encrypted data is then delivered
or transmitted and output, as the message signature information.

On the side of an authenticating person,

• A person who proves whether the message is output from a legitimate
signer obtains the public message, the message signature information,
and the authentication right information.

• A shared key is generated based on the other party's public 
identifier and the authentication right information is decoded. 

• The message signature information is decoded using the decoded
data as a key.

• Furthermore, the other party's identifier and the message data 
are converted using the aforementioned one-way function. 

• The resultant data subjected to one-way function processing is
compared to the decoded message signature data. If the data
coincides with the message signature data, it is proved that the
message is prepared by the legitimate signer.

As described above, the present invention utilizes a system in which
one's own identifier and the other party's identifier are input so as
to generate a shared key. Thus, easy handling is realized and anyone can
utilize the present invention without special knowledge. It is
presupposed that a KPS secret algorithm is obtained from a center
authority possessing center algorithms. The KPS secret algorithm
and the identifier or the like are based on a so-called KPS system.
The system is described in the literature, such as Matsumoto and Imai,
"Key Sharing without Communication: KEY PREDISTRIBUTION SYSTEM",
Journal of the Institute of Electronics, Information and
Communication Engineers, Vol. J71-A, No. 11, pp. 2046-2053, Nov.
1998. The present invention includes a plurality of algorithms
such as a secret algorithm for signature and a secret algorithm
for authentication. The different secret algorithms are obtained
either from one center algorithm, with the center holding different
identifiers such as a general identifier and a signature identifier,
or from a plurality of center algorithms corresponding to the
characteristics of the plurality of identifiers. The center is
configured by an unmanned or manned device. At least, the center
manages the center algorithms safely with respect to the outside,
prepares secret algorithms, and outputs them.

[0007] 

[Embodiments] Fig. 1 of the accompanying drawings is a block
diagram of the present invention. Reference numeral 1 represents
a signature information creating unit that is possessed by a signer
and is, for example, a personal computer or a digital computation
device such as a digital computation circuit. In particular, a
tamper-resistant device from which internal information is difficult
to extract, and which can be provided in the form of an IC card, is
preferable as the signature information creating unit. Reference
numeral 2 represents an authentication unit that is possessed by an
authenticating person and is, like the signature information
creating unit 1, for example, a personal computer or a digital
computation device such as a digital computation circuit. Here too,
a tamper-resistant device from which internal information is difficult
to extract, and which can be provided in the form of an IC card, is
preferable as the authentication unit. When the signature information
creating unit 1 and the authentication unit 2 are configured by
a personal computer, the components that make up the embodiment of
the present invention are realized by software such as programs.

Reference numeral 3 represents an encryption device that includes
an encryption algorithm and converts a plaintext to a ciphertext
by input of key data. Examples of the encryption algorithm include,
but are not limited to, DES (Data Encryption Standard) and the FEAL
cipher (Shimizu, Miyaguchi, and Ohta: "Fast Data Encipherment
Algorithm FEAL", Technical Report of the Institute of Electronics,
Information and Communication Engineers (Information Theory),
Vol. 80, No. 113, IT86-33, pp. 1-6 (1986)). Reference numeral 4
represents a decoder that includes a decoding algorithm
corresponding to the aforementioned encryption algorithm and
converts a ciphertext to a plaintext by input of key data. The
same key data is used for the encryption device 3 and the decoder
4. Reference numeral 5 represents a one-way data converting unit
that includes a hash function and outputs a single or a plurality
of inputs as one-way data. Reference numeral 6 represents a shared
key generating unit that generates a shared key and can utilize
a shared data generating algorithm described in the literature, such
as Blom, "Non-Public key Distribution", Advances in Cryptology:
Proceedings of CRYPTO '82, Plenum Press, 1983, pp. 231-236.
Reference numeral 7 represents an authentication secret key
generator with the same structure as that of the shared key generating
unit described above.

Reference numeral 8 represents a general ID converter that converts
data, which is an assembly of codes and symbols specific to users
such as IDs, namely identifiers, for example, data of telephone
number and birth date used in ordinary life, in a one-way manner to
data that is suitable for input to the subsequently connected secret
key generating device. The general ID converter 8 has a structure
described in the literature, such as Matsumoto, Takashima, and Imai,
"Portable ID Conversion - Structure of One-Way Algorithm", Technical
Report of IEICE, IT89-23, July 1989. Reference numeral 9 represents
a signature ID converter and has the same structure as that of the
general ID converter 8. Reference numeral 10 represents a comparator
to which a plurality of data are input and which outputs the results
of determination such as their match or mismatch.

Reference numeral 11 represents a signer's identifier that is, as
described above, a code, a symbol, or data that is specific to users
and used in a semi-fixed manner, or a combination thereof. The
identifier is preferably combined data that is easily handled, such
as birth date or telephone number. Reference numeral 12 represents
an authenticating person's identifier with the contents described
above. Reference numeral 13 represents a message that is data
prepared by a signer or existent data. Reference numeral 14
represents message signature information and reference numeral 15
represents authentication right information.

[0008] An operation of the embodiment of the present invention
based on the above structure will be described below. A digital
signature of a message is configured by:

[Expression 1] Message signature information V14 and Authentication
right information T15.

The digital signature is made by the signature information creating
unit 1 and authenticated by the authentication unit 2. The signature
is made by the following process. A message
[Expression 2] M13

is input to the signature information creating unit 1 (a signer
is indicated by "A" in this example). The message

[Expression 3] M13

is input together with an identifier 

[Expression 4] IDA 11 

of the signer A, to the one-way data converting unit 

[Expression 5] h5. 

An output of the one-way data converting unit, namely, an
authenticator

[Expression 6] h(IDA||M) 

is input to the encryption device 

[Expression 7] E3 

and encrypted using a message-specific key

[Expression 8] KAM, 

so that message signature information 

[Expression 9] V14:

[Expression 10] $V = E_{K_{AM}}(h(ID_A \| M))$
is generated. Next, a description will be given of generation of
the message-specific key

[Expression 11] KAM. The message 

[Expression 12] M13 

is input to the one-way data converting unit 
[Expression 13] h5.
An output

[Expression 14] h(M)

of the one-way data converting unit is input to the general ID 
converter 

[Expression 16] f8 

that converts the output so as to have a format to be input to the 
signer's shared key generating unit 

[Expression 15] XA6 

(for example, a secret algorithm for Key Predistribution System
(KPS)). The message-specific key is obtained by inputting the
output of the general ID converter to the signer's shared key
generating unit

[Expression 17] XA6,

and the output result is
[Expression 18] KAM.

Generation of the authentication right information 
[Expression 19] T 

is described below. An identifier 
[Expression 20] IDB 12 

of an authenticating person (indicated by "B" in this example) is 
input to the signature information creating unit 1. The identifier

[Expression 21] IDB 12 

of the authenticating person is input to the signature ID converter 
[Expression 22] fV9.

An output of the ID converter is input to the signer's shared key
generating unit

[Expression 23] XA6, 

so that a signature key 

[Expression 24] kABV 

is generated. The message-specific key 
[Expression 25] kAM 
is input to the encryption device 
[Expression 26] E3,

and encrypted using the signature key
[Expression 27] kABV.

Accordingly, the authentication right information
[Expression 28] T15:
[Expression 29] $T = E_{k_{ABV}}(K_{AM})$
is generated. The message 
[Expression 30] M13, 
the message signature information 
[Expression 31] V14, 
and the authentication right information
[Expression 32] T15 

are sent to the authenticating person. Authentication of the 
digital signature is performed by the following process. The 
authenticating person inputs the identifier 

[Expression 33] IDA11

of the signer to the authentication unit 2. The identifier

[Expression 34] IDA11

is input to the general ID converter
[Expression 35] f8.



An output of the general ID converter is input to the authentication 
secret key generating unit, and an authentication key 

[Expression 36] kBVA 

is output. The authentication key 

[Expression 37] kBVA 

is used only for decoding processing, because of the
tamper resistance of the authentication unit 2. The authentication
right information 

[Expression 38] T15 

input to the authentication unit 2 is input to the decoder 
[Expression 39] D4, 

and decoded using the authentication key, 

[Expression 40] kBVA 

so that the message-specific key 

[Expression 41] kAM 

is decoded. The message signature 

[Expression 42] V14 

input to the authentication unit 2 is input to the decoder 
[Expression 43] D4, 
and decoded using the message-specific key
[Expression 44] KAM. 

Accordingly, a decoded authenticator 
[Expression 45] $D_{K_{AM}}(V)$
is output. On the other hand, the message
[Expression 46] M13

is also input to the authentication unit 2, together with the signer's
identifier

[Expression 47] IDA11,
to the one-way data converting unit
[Expression 48] h5,
so that an authenticator
[Expression 49] h(IDA||M)

is generated. The decoded authenticator 
[Expression 50] $D_{K_{AM}}(V)$

and the generated authenticator 
[Expression 51] h(IDA||M) 

are input to a comparator Comp 10. If they coincide with each other,
"OK" is output. On the other hand, if they do not coincide with
each other, "NG" is output. According to the embodiment, although
the message signature information
the message signature information 

[Expression 52] V14 

and the authentication right information 
[Expression 53] T15 

are generated at one time, a signer can generate only new 
authentication right information 

[Expression 54] T' 

from a message 

[Expression 55] M13 

and a new identifier 

[Expression 56] IDB'.
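The signing and authentication flow of paragraph [0008], written out in Python as an added example that is not part of the patent text. It assumes SHA-256 for the one-way unit h, a hash-keystream XOR as a toy stand-in for the encryption device E and decoder D (the text names DES and FEAL), and a small Blom-style symmetric matrix as the KPS center algorithm; all function names, parameters and identifiers are hypothetical.

```python
import hashlib, hmac, secrets

P, N = 2**127 - 1, 4   # toy Blom parameters (assumed): prime field, matrix size

def h(*parts):         # one-way data converting unit h (5); SHA-256 assumed
    return hashlib.sha256(b"\x00".join(parts)).digest()

def vec(tag, data):    # ID converter f (8) or fV (9): bytes -> vector over GF(P)
    return [int.from_bytes(h(tag, bytes([i]), data), "big") % P for i in range(N)]

def center_matrix():   # center algorithm: secret symmetric matrix G
    g = [[0] * N for _ in range(N)]
    for i in range(N):
        for j in range(i, N):
            g[i][j] = g[j][i] = secrets.randbelow(P)
    return g

def secret_algorithm(g, own):   # issued by the center for one identifier vector
    row = [sum(own[i] * g[i][j] for i in range(N)) % P for j in range(N)]
    return lambda other: (sum(r * o for r, o in zip(row, other)) % P).to_bytes(16, "big")

def E(key, data):      # toy stand-in for encryption device E (3): keystream XOR
    blocks = -(-len(data) // 32)
    stream = b"".join(h(key, bytes([i])) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

D = E                  # decoder D (4): the XOR stand-in is its own inverse

def sign(x_a, id_a, id_b, m):
    k_am = x_a(vec(b"f", h(m)))            # message-specific key K_AM
    v = E(k_am, h(id_a, m))                # V = E_KAM(h(ID_A || M))
    t = E(x_a(vec(b"fV", id_b)), k_am)     # T = E_kABV(K_AM)
    return v, t

def verify(x_bv, id_a, m, v, t):
    k_am = D(x_bv(vec(b"f", id_a)), t)     # k_BVA decodes T back to K_AM
    return hmac.compare_digest(D(k_am, v), h(id_a, m))  # comparator (10): OK / NG

if __name__ == "__main__":
    g = center_matrix()
    id_a, id_b, id_c = b"A-0311234567", b"B-0455512345", b"C-0677798765"  # constructed IDs
    x_a = secret_algorithm(g, vec(b"f", id_a))      # signer's secret algorithm
    x_bv = secret_algorithm(g, vec(b"fV", id_b))    # B's authentication secret algorithm
    x_cv = secret_algorithm(g, vec(b"fV", id_c))    # C was not given T, so C gets NG
    m = b"constructed sample message"
    v, t = sign(x_a, id_a, id_b, m)
    print(verify(x_bv, id_a, m, v, t), verify(x_cv, id_a, m, v, t))
```

Calling sign again for a different verifier identifier returns the same V and a new T, which is the T' case described at the end of the paragraph.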